
Europaisches Patentamt 
European Patent Office 
Office europeen des brevets 





(Pi) Publication number : 0 537 098 A2 



@ 



EUROPEAN PATENT APPLICATION 





Annlifntinn numhor ' A 

n\J\Jtl\*GiW\Jl \ I lUI I IL/CI . JJ&WU IMil 


{^2J int. iri. . uuur I no*f 










Priority: 11.10.91 US 775669 


Inventor : McKelvey, Mark Ambrose 






114 23rd Street S.W. 


/ v. 

% 


Date of publication of application : 


Rochester, Minnesota 55902 (US) 




14.04.93 Bulletin 93/15 


Inventor : Modry, John Arthur 


% 




1211 34th Street N.W. 


Designated Contracting States : 


Rochester, Minnesota 55901 (US) 


DE FR GB 


Inventor : Roubal, Eric Gunter 






4418 14th Avenue N.W. 


Applicant: International Business Machines 


Rochester, Minnesota 55901 (US) 


Corporation 


Inventor : Sandstrom, Andrew Edward 




Old Orchard Road 


1414 Damon Court S.E. 




Armonk, N.Y. 10504 (US) 


Rochester, Minnesota 55904 (US) 






Inventor : Wildt, Patrick Michael 




Inventor : Daniel, Arthur Aulden 


4521 Glen Lane N.W. 




735 Forest Hills Drive S.W. 


Rochester, Minnesota 55901 (US) 




Rochester, Minnesota 55902 (US) 




(75) Representative : Vekemans, Andre 






Compagnie IBM France D6partement de 






Propriet6 Intellectuelle 






F-06610 La Gaude (FR) 



(54) Event handling mechanism having a filtering process and an action association process. 



(57) Computer systems have the ability to monitor 
their components and operations , generate 
events which indicate the occurrence of a moni- 
tored condition (e.g. out of paper, Joe Smith 
just signed on, disk utilization nearing capacity, 
etc .), and process these events in some man- 
ner. 

The events (25) of an event stream or streams 
are "filtered" into categories or groups of 
events (27). Once categorized, an action or 
actions (29) is (are) associated with the 
categorized event The associated action can be 
logging ~ the event routing the event to the 
electronic address of a user, or sending the 
event to an application program for further 
processing. 
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FIELD OF THE INVENTION 

This invention relates to the data processing 
field. More specifically, this invention is an event han- 
dling mechanism that categorizes the events of a raw 
event stream into groups of events and associates an 
action or actions with each group. 

BACKGROUND OF THE INVENTION 

The system software of today's single and multi- 
ple processor environments usually includes a crude 
event handling mechanism. The purpose of this 
mechanism is to provide some degree of control for 
the potentially large amount of event traffic on the 
system's communication networks. It is the responsi- 
bility of an event handling mechanism to route and/or 
coordinate the event traffic to best utilize the resourc- 
es of the system. Existing event handler implementa- 
tions perform various operations on an event stream. 
Examples include the deletion, logging, and/or dis- 
play of certain events, usually on a system console 
monitored by a system administrator. These event 
handlers are "hard coded" to handle particular events 
and particular streams of events. When new events 
are added to an event stream, major modifications to 
the event handler must in turn be made to accommo- 
date them. In some cases an entire new event han- 
dler is required. A new event handler is almost always 
required whenever support for a new or different 
event stream protocol is desired. This situation is fur- 
ther complicated when one considers a system that 
supports multiple event streams and thus includes 
multiple event handlers. In this latter system, the ad- 
dition of a newly supported protocol not only means 
that a new event handler is required, but it also means 
that the software that coordinates the event handlers 
must also be rewritten. 

The result of the cost and complexity associated 
with these modifications is the inability to provide sig- 
nificant function to the end user (e.g., system admin- 
istrator). For the most part, the example functions cit- 
ed above (i.e., deletion, logging, and display on a sys- 
tem console) typify current event handler implemen- 
tations. This limited function in turn results in several 
problems: entire categories of event s must be delet- 
ed to accommodate more important categories, some 
events are never seen because the system console 
is unattended when an event appears, and logs are so 
large that it is difficult to detect events of sig nrf icance. 
In general, this makes the system administrator task 
more difficult because that per son has only limited 
control over a targe portion of the information neces- 
sary to perform their job. 

SUMMARY OF THE INVENTION 

It is a principle object of this invention to provide 



for the effective, efficient and cost reduced manage-, 
ment of a computer system's event streams. 

It is another object of this invention to provide the 
system administrator with the ability to dynamically 

5 categorize and re-categorize the events of a system's 
event stream(s). 

It is still another object of this invention to provide 
the system administrator with the ability to dynamical- 
ly modify how the system processes particular events 

10 or groups of events without having to change how the 
events have been categorized. 

These and other objects are accomplished by the 
event handler mechanism disclosed herein. 

Computer systems have the ability to monitor 

is their components and operations, generate events 
which indicate the occurrence of a monitored condi- 
tion (e.g. out of paper, Joe Smith just signed on, disk 
utilization nearing capacity, etc.), and process these 
events in some manner. 

20 The present invention provides significant en- 

hancements to the latter capability. 

The events of an event stream or streams are "fil- 
tered 1 ' into categories or groups of events. Once cat- 
egorized, the invention associates an action or ac- 

25 tions with the categorized event. The associated ac- 
tion can be logging the event, routing the event to the 
electronic address of a user, or sending the event to 
an application program for further processing. 

The filtering process is accomplished through the 

30 use of four discrete components: a filter table, a filter 
table maintenance mechanism, a parsing mecha- 
nism, and a filter table processing mechanism. The fil- 
ter table is maintained by the system administrator, 
and contains a plurality of filter entries. The filter en- 

35 tries in turn contain a sequence number, a group iden- 
tifier, and certain selection criteria. The selection cri- 
teria includes a collection of element types, values, 
and operators. The system administrator uses the fil- 
ter table maintenance mechanism to create, modify, 

40 and delete both the f iter entries and the filter table it- 
self. In doing so, the system administrator is given the 
ability to categorize all events of an event stream. 

The parsing mechanism parse s out select ele- 
ments of each event contained in a raw event stream. 

45 These elements then comprise a standardized event. 
The parsing mechanism produces the same standar- 
dized event regardless of the form of the events in the 
raw event stream. The filter table processing mecha- 
nism then takes the selection criteria of the filter en- 

50 tries and applies them to the element types and val- 
ues of the standardized event. If a match is detected, 
the group identifier is passed to the action mecha- 
nism of the invention. If not a default group identifier 
is passed on. 

55 The action mechanism of the invention entails 

three discrete components: an action table, an action 
table maintenance mechanism, and an action table 
processing mechanism. The action table is main- 
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tained by the system administrator. The action table 
contains a plurality of group or event entries. The 
group entries are used when groups are provided by 
the filtering process discussed above, or when an ap- 
plication program supplies categorized events to this 5 
portion of the invention. In contrast, the event entries 
are used where no grouping or categorization is per- 
formed. The group and event entries contain a group 
or event identifier and associated actions, such as 
routing the event to an electronic address or another 10 
application program. 

The system administrator will use the action tabte 
maintenance mechanism to create, modify, and de- 
lete the group entries, event entries and the action ta- 
ble itself. In doing so, each event or group of events 15 
will be acted upon in the same manner. 

In operation, the action table processing mecha- 
nism will attempt to match the subject group or event 
with a group or event entry in the action table. If there 
is a match, the action table processing mechanism 20 
will route the event to an application program or the 
electronic address of one or more end users. If there 
is not a match, the action table processing mecha- 
nism will route the event to a default destination such 
as the system console or "bit bucket". 25 

BRIEF DESCRIPTION OF THE DRAWINGS 

Fig. 1 shows the computer system of the inven- 
tion. 30 

Fig. 2 shows the process flow of the preferred 
embodiment 

Fig. 3 shows the two logical functions of the pre- 
ferred embodiment and their interaction with the sys- 
tem administrator. 35 

Fig. 4 shows the process flow of the filter table 
and action table maintenance mechanisms of the pre- 
ferred embodiment 

Figs. 5 and 7 depict the user interface of the pre- 
ferred embodiment 40 

Figs. 6 and 8 show how the user's input is ma- 
nipulated after its entry. 

Fig. 9 shows the tabte structure of the invention. 

Fig. 11 shows an example event that could be 
handled by the invention. 45 

Fig . 12 shows an exemplary result of the initial 
parsing step. 

Figs. 10, 13, and 14 are flow diagrams describing 
the processes of the preferred embodiment 

Figs. 1 5 and 16 depict alternate embodiments of so 
the invention. 

DESCRIPTION OF THE PREFERRED 
EMBODIMENT 

Fig. 1 shows a block diagram of the computer 
system 10 of the invention. Computer system 10 con- 
tains storage 11, CPU 12, memory 13, event monitor 
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14, event generator 15, event handler 16, and com- 
munications interface 20. Although the discussion of 
the preferred embodiment focuses on events re- 
ceived from communications interface 20, it is impor- 
tant to note t hat the invention also applies equally to 
events received from other internal entities that are 
capable of generating events. 

Fig. 1 also shows connections to other computer 
systems 21 via communications line 22. The inven- 
tion itself is located in event handler 16. Event handler 
16 contains filter mechanism 17, action mechanism 
18, and editor 19. 

In the preferred embodiment, computer system 
10 is an Application System/400 midrange computer 
system, although other computer systems such as 
personal computers and mainframe computer sys- 
tems coutd also be used. In addition, communications 
line 21 could be a direct connection cable, a local area 
network, telecommunications link, or other form of 
operatively connecting computer together. 

Referring now to Fig. 2, events 25 are shown as 
input to event handler 16 of the invention. Events 25 
could represent any type of event stream. All possible 
events that can be generated by event generator 15 
and sent to event handler 16 in a continuous or dis- 
continuous fashion as computer system 10 is operat- 
ing will be referred to herein as an event stream. 
When each event encounters filter 17, it is labeled as 
being a member of a particular event group 27. The 
invention then uses the event group label (event 
group 27) and action table 28 to decide what act ions 
29 are appropriate for this event 25. The various ac- 
tions 29 are then performed by the system. 

Fig. 3 shows event handler 16 in more detail. As 
mentioned above, the events of raw event stream 25 
first encounter filter mechanism 1 7. The filter process 
34 uses a filter table 32 to filter (or label as mentioned 
above) the events into an event group 35. Filter table 
32 contain s filter entries 33. These filter entries are 
used to determine which event group is appropriate 
for the subject event. Once this determination is 
made, event group 35 is passed on to action process 
39. To decide what actions are required, the action 
process 39 compares the group entries 38 of the ac- 
tion table 37 to the event group 35. Action executer 
41 then uses this information to execute the actions 

Fig. 3 further depicts the ability of t he system ad- 
ministrator 36 to create and modify the filter table 32 
and the action table 37. A "system administrator re- 
ferred to herein is normally one or more persons re- 
sponsible for the continued operation of computer 
system 10. If computer system 10 is a personal com- 
puter, the user of the personal computer orthe person 
responsible for the continued operation of the local 
area network would be considered to be the system 
administrator. Fig. 4 describes this ability in more de- 
tail. 

Referring now to Fig. 4, the system administrator 
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would first elect to work with the event handler func- 
tion 40. The system administrator can choose which 
filter to work with and what type of filter he or she 
would like it to be. These choices are significant in 
that they give the system administrator control over 
what filters are used for what purposes. This flexibility 
is important because the event handler of the prefer- 
red embodiment utilizes different filter tables in differ- 
ent situations. Next, the system administrator must 
elect to work with the action table 49 or work with the 
filter table 42. Once the choice has been made, the 
system administrator can create , change, delete, or 
print either of the two logical constructs (i.e. the filter 
table or the action table). Another option at this level 
is the ability to perform operations on the entries of 
either of the logical constructs 44 and 45. An entry 
can be added, copied, changed, removed, displayed , 
or renamed, 46 and 47. 

Fig. 5 depicts the screen that is seen when the 
system administrator elects to work with the filter ta- 
ble's entries. Each filter entry contains a sequence 
number 50, a group identifier (group 51), and selec- 
tion criteria (selection data 52). Sequence number 50 
is used to control the order in which the filter table is 
searched. Group identifier 51 represents the catego- 
ry in which events can be placed. The selection cri- 
teria 52 is used to determine the category in which 
the subject event belongs. It does so, by using the 
elements of each event. In particular, the selection 
criteria is used to determine whether an event's ele- 
ment types and the associated values satisfy the test 
set forth in the selection criteria itself. Boolean ex- 
pressions which include relational operators. Boolean 
operators, or both are used to create the "test" of the 
selection criteria. 

Fig. 6 depicts the expression f low of the screen 
shown in Fig. 5. The add filter entry function 60 con- 
verts the user information into a device specific data 
format 63. In the preferred embodiment, the use of 
the add filter entry function 60 results in the informa- 
tion being parsed 61 and then converted into an opti- 
mized form 62. The prefer red embodiment uses a 
generic parser which first converts the expression 
into an infix binary expression tree containing rela- 
tional and Boolean operators. The filter table parser 
then converts the tree into a prefix data stream for 
high performance string- based evaluation. The de- 
vice specific data format 63 is a single stream prefix 
expression that contains a length, a Boolean or rela- 
tional operator, and the right and left sub-expressions 
recursively listed. The single stream representation 
containing lengths and recursive expressions allows 
for optimized evaluations by reducing the number of 
sub-expression evaluations needed. It is in this fash- 
ion that the system administrator's categorization 
scheme is represented in the filter table 64. 

Fig. 7 depicts the screen that is seen when the 
system administrator elects to work with the action ta- 



EP 0537098A2_L> 



ble's entries. Each action table entry contains a group 
identifier (group 70) and at least one associated ac- 
tion 71. Associated actions can be routing the event 
to one or more electronic addresses of specific users, 

5 logging the event in a specific log, or sending the 
event to an application program , as shown in Fig. 7. 

Fig. 8 depicts the expression flow of the screen 
shown in Fig. 7. In the preferred embodiment, the use 
of the add group entry function 80 results in the infor- 

10 matron being converted into a generic form 81 and 
then into an optimized form 82. The data's resultant 
form is device specific 83. 

It is in this fashion that the system administrator's 
action association scheme is represented in action ta- 

15 ble 84. In the preferred embodiment, the add group 
entry function 80 converts the specific action (para- 
meter) information 85 into generic actions ((action 1 , 
parameter 1)... (action N, parameter N)) format 81. 
The generic format 81 allows the add group entry 

20 function 80 to convert any action into the internal de- 
vice specific data 83. The internal device representa- 
tion 83 identifies the data as a group entry which 
identifies the group (category), and lists the actions 
and parameters. 

25 Fig. 9 shows the combined filter table/action ta- 

ble structure 90 of the preferred embodiment. 
Though it is conceptually easier to think of the filter 
table and action table as separate data structures, 
they are actually combined into a single data struc- 

30 ture in the preferred embodiment In the preferred 
embodiment, keys for filter 93 and group entries 92 
are placed in index 91. When retrieval is needed, the 
offsets in the index are used to gain access to the 
data area 94 where the data 95 is stored. 

35 Fig. 1 0 depicts the four conceptual entities of the 

filter process (first described as the filter function at 
17 in Fig, 1). The filter table and filter maintenance 
mechanism were explained in the discussion of Figs. 
4, 5, 6. The parsing mechanism 101 is responsible for 

40 converting the raw data events 1 00 into standardized 
events 1 02. The event of Fig. 11 is an example of what 
an event could look like prior to parsing. As was men- 
tioned in the discussion of Fig. 5, the filter table's se- 
lection criteria is primarily concerned with the event's 

45 element types 111 and the associated values 112. 
Hence, it is the parsing mechanism's task to parse out 
the important elements and assign them a type. It is 
particularly important that this is done consistently 
regardless of the type of event received. An example 

so is shown in Fig. 12 where only those elements that 
are actually needed are placed into t he standardized 
event. Returning now to Fig. 10, it is seen that the 
standardized event is presented to the filter table 
processing mechanism 103. The filter table process- 

55 ing mechanism 103 will use the selection criteria of 
the filter entries from filter table 105 to discern a 
match. Once accomplished, the filter processing 
mechanism 103 will pass the group identifier (event 

4 
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group 104) to the action processing function. 

Fig. 13 describes action processing (first descri- 
bed as action mechanism 18 in Fig. 1 ). The action ta- 
ble and action table maintenance mechanism were 
described in the discussion regarding Figs. 4, 7, and 5 
8. The action table processing mechanism 131 uses 
the event group passed to it by the filter table proc- 
essing mechanism to locate the appropriate action 
132 contained in the action table 133. Once located, 
the action table processing mechanism 131 passes 10 
the action 132 on to be executed as indicated. 

Fig. 14 is a flow diagram that shows the steps 
used by the filter processing 148 and the action table 
processing 149 mechanisms and how the two mech- 
anisms interact. The filter processing mechanism be- 
gins by retrieving the first filter entry at block 140. The 
filter processing mechanism will the n traverse the ex- 
pression tree of Fig. 6 and attempt to locate a match 
141. If a match is achieved, the associated group 
identifier is passed to the action table processing 
mechanism 149. If a match is not found, the next filter 
entry is retrieved at block 143 and the process is re- 
peated. If a match is not achieved before the last filter 
entry is evaluated, a default group identifier (which 
automatically "matches" events not matched by other 
entries) is used. When the action table processing 
mechanism 149 receives the group identifier, it will at- 
tempt to locate the correct group entry in the action 
table 144. If the group identifier exists within the ac- 
tion table, the associated action is executed by block 
147. If the group identifier does not exist within the 
action table, a default entry is used in block 146. This 
results in a default action being passed on to block 
147. 

Fig. 15 depicts one possible alternate em bod i- 35 
ment. In this embodiment, a filter process could be 
used without the companion action processing. The 
application program 150 would receive the event 
groups 152 directly and perform both the action as- 
sociation function and action execution function. Al- 40 
though this embodiment does not provide the flexibil- 
ity of the preferred embodiment, it still represents an 
improvement over existing implementations. The sys- 
tem administrator 151 retains the flexibility of being 
able to control how events are to be categorized. 45 

The second alternate embodiment, shown in Fig. 
16, is the inverse of the first I n this embodiment, an 
action process is used without the companion filter 
processing. The application program 160 provides 
group information 1 61 directly to the action process so 
164. This can be done in "real time" or be the result 
of a previous filtering activity of the same or different 
filter type. The action process then supplies the ac- 
tions back to the application program 166. The appli- 
cation program 160 then executes the actions just as 55 
in the preferred embodiment. 

A third alternate embodiment is a variation of the 
second. In this embodiment, the action processing 



would accept raw events directly without the need for 
prior handling by either the filter process or an appli- 
cation program. The system administrator would use 
the action table to associate events to actions rather 
than groups of events to actions. In that way, the sys- 
tem administrator would have the power to create and 
modify how the computer system reacts to certain 
events. 



Claims 

1 . A method for handling events in an event stream, 
said method comprising the steps of: 

15 creating a categorization scheme; 

receiving as input said events; and 
applying said events to said categorization 
scheme to categorize said events into groups of 
events. 

20 

2. The method of claim 1 wherein said creating step 
further comprises the steps of. 

accepting user input to create and modify 
said categorization scheme; and 
25 parsing said user input into a device spe- 

cific representation. 



3. The method of claim 2 wherein said creating step 
further comprises the step of: 

inputting a plurality of sequentially ar- 
ranged filter entries into a filter table. 



30 



The method of claim 3 wherein said inputting step 
further comprises the step of: 

adding a group identifier, a sequence 
number, and a set of selection criteria to each of 
said filter entries. 

The method of claim 4 wherein said adding step 
further comprises the step of: 

entering, as part of said selection criteria 
a set of element types, values, and operators. 

The method of claim 5 where in said entering step 
further comprises the step of: 

placing a wild card character identifier into 
said value. 

The method of claim 1 wherein said receiving 
step further comprises the step of: 

parsing said events into standardized 
events. 

The method of claim 6 wherein said applying step 
further comprises the steps of: 

using said sequence numbers to search 
through said filter entries; 

matching said element types and said val- 
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ues to a particular element's type and value; and 
interpreting said wild card character iden- 
tifiers. 

parsing said events into standardized 
events. 

9. An apparatus for handling events in an event 
stream, said apparatus comprising: 

means for creating a categorization 
scheme; 

means for receiving as input said events; 
and means for applying said events to said cate- 
gorization scheme to categorize said events into 
groups of events. 

10. The apparatus of claim 9 wherein said means for 
creating said categorization scheme further com- 
prises: 

means for accepting user input to con- 
struct and modify said categorization scheme. 

11. The apparatus of claim 10 wherein said means for 
accepting user input further comprises: 

means for parsing said user input into a 
device specific representation. 

12. The apparatus of claim 11 wherein said categor- 
ization scheme comprises a filter table, said filter 
table comprising a plurality of sequentially ar- 
ranged filter entries, each of said filter entries 
comprising a group identifier, a sequence num- 
ber, and a set of selection criteria. 

1 3. The apparatus of claim 1 2 wherein said set of se- 
lection criteria comprises a set of element types, 
values, and operators, said operators being rela- 
tional. 

14. The apparatus of claim 13 wherein said operators 
are Boolean. 

15. The apparatus of claim 14 wherein said value 
comprises a wild card character identifier. 

16. The apparatus of claim 9 wherein said means for 
receiving further comprises: 

means for parsing said events into stan- 
dardized events. 

17. The apparatus of claim 15 wherein said means for 
applying further comprises: 

means for using s aid sequence numbers 
to search through said f Hter entries; 

means for matching said element types 
and said values to a particular element's type and 
value; and 

means for interpreting said wild card char- 
acter identifiers. 



18. A method for receiving an event from an event 
stream and associating particular actions to said 
event, said method comprising the steps of: 
creating an action association scheme; 
5 receiving as input said event; 

determining said particular actions ; and 
outputting said particular actions to an ap- 
plication program. 

10 19. The method of claim 18 wherein said outputting 
step further comprises: 

sending said particular actions to a person 
located at an electronic address on a computer 
system. 

15 

20. The method of claim 18 wherein said creating 
step further comprises the steps of: 

accepting user input to create and modify 
said action association scheme; and 
20 parsing said user input into a device spe- 

cific representation. 

21. The method of claim 20 wherein said creating 
step further comprises the step of: 

25 inputting a plurality of event entries into an 

action table. 

22. The method of claim 21 wherein said inputting 
step further comprises the step of: 

30 adding an event identifier and actions to 

each of said event entries. 

23. The method of claim 22 wherein said determining 
step further comprises the steps of: 

35 using said event identifiers to search 

through said event entries; and 

matching said event identifier to a partic- 
ular event's type. 

40 24. An apparatus for receiving an event from an event 
stream and associating particular actions to said 
event, said apparatus comprising: 

means for creating an action association 
scheme; 

45 means for receiving as input said event; 

means for determining said particular ac- 
tions; and 

means for outputting said particular ac- 
tions to an application program. 

50 

25. The apparatus of claim 24 where in a destination 
of said means for outputting is a person located 
at an electronic address on a computer system. 

55 26. The apparatus of claim 24 wherein said means for 
creating further comprises means for 

accepting user input to create and modify 
said action association scheme; and 
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parsing said user input into a device spe- 
cific representation. 

27. The apparatus of claim 26 wherein said means for 
creating further comprises means for 

inputting a plurality of event entries into an 
action table. 



28. The apparatus of claim 27 wherein said means for 
inputting further comprises means for: 

adding an event identifier and actions to 
each of said event entries. 
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29. The apparatus of claim 28 wherein said means for 

determining further comprises means for 15 

using said event identifiers to search 
through said event entries; and 

matching said event identifier to a partic- 
ular event. 

20 



25 



30 



35 



40 



45 



50 
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